prepared by they yu shu lee ern yu. motivation previous work remaining issues improvement
TRANSCRIPT
![Page 1: Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement](https://reader036.vdocuments.site/reader036/viewer/2022062517/56649e915503460f94b97567/html5/thumbnails/1.jpg)
Completion of a Light-weight Security Scheme for iSCSI
Prepared by They Yu ShuLee Ern Yu
![Page 2: Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement](https://reader036.vdocuments.site/reader036/viewer/2022062517/56649e915503460f94b97567/html5/thumbnails/2.jpg)
Outline Motivation Previous Work Remaining Issues Improvement
![Page 3: Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement](https://reader036.vdocuments.site/reader036/viewer/2022062517/56649e915503460f94b97567/html5/thumbnails/3.jpg)
Motivation Current security schemes for iSCSI:
IPsec File System Based Encryption (NTFS, EXT3 and etc.) CHAP, Kerberos, SRP
Current security schemes doesn’t worked well on mobile devices. Limited processing power and resources Frequently changes of IP address May not support IPsec or file system that provide
data protection mechanism
![Page 4: Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement](https://reader036.vdocuments.site/reader036/viewer/2022062517/56649e915503460f94b97567/html5/thumbnails/4.jpg)
Previous Work Embedded a light-weight encryption
scheme using Dragon Encryption algorithm and HMAC-SHA256 into iSCSI layer
Data transfer between initiator and target are secured.
![Page 5: Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement](https://reader036.vdocuments.site/reader036/viewer/2022062517/56649e915503460f94b97567/html5/thumbnails/5.jpg)
![Page 6: Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement](https://reader036.vdocuments.site/reader036/viewer/2022062517/56649e915503460f94b97567/html5/thumbnails/6.jpg)
Performance
00.10.20.30.40.5
512 1024 2048 4096 8192
Block Size (Byte)
iSCSI
iSCSI + IPsec
Our ProposedSolution
![Page 7: Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement](https://reader036.vdocuments.site/reader036/viewer/2022062517/56649e915503460f94b97567/html5/thumbnails/7.jpg)
Remaining Issues Phase 1 Authentication and Key
Exchange? Dragon is a symmetric key encryption
algorithm The default authentication scheme (CHAP)
does not secure enough
![Page 8: Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement](https://reader036.vdocuments.site/reader036/viewer/2022062517/56649e915503460f94b97567/html5/thumbnails/8.jpg)
![Page 9: Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement](https://reader036.vdocuments.site/reader036/viewer/2022062517/56649e915503460f94b97567/html5/thumbnails/9.jpg)
1. After the Link Establishment phase is complete, the authenticator sends a “challenge” message to the peer.
2. The peer responds with a value calculated using a “one-way hash” function.
3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection SHOULD be terminated.
4. At random intervals, the authenticator sends a new challenge to the peer, and repeats steps 1 to 3.
Authenticator
Peer
Challenge
Respond
Accept or Reject
![Page 10: Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement](https://reader036.vdocuments.site/reader036/viewer/2022062517/56649e915503460f94b97567/html5/thumbnails/10.jpg)
Code Identifier Length
Data …
Figure 1: A captured CHAP Challenge packet Figure 2: A captured CHAP response packet
![Page 11: Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement](https://reader036.vdocuments.site/reader036/viewer/2022062517/56649e915503460f94b97567/html5/thumbnails/11.jpg)
Information we gathered so far Username Server name Client and server IP The ID used to compute response Challenge and associated response
Try dictionary Attack
![Page 12: Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement](https://reader036.vdocuments.site/reader036/viewer/2022062517/56649e915503460f94b97567/html5/thumbnails/12.jpg)
Requirement in RFC 1994:- The client MUST answer any challenge it receives
ServerUser Attacker
Challenge
Response
Accept
Challenge
Challenge
Response
Response
Accept
![Page 13: Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement](https://reader036.vdocuments.site/reader036/viewer/2022062517/56649e915503460f94b97567/html5/thumbnails/13.jpg)
Improvement Propose to use EC-SRP (Elliptic Curve
Cryptography - Secure Remote Password) in the In-Band Initiator-Target Authentication phase.
![Page 14: Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement](https://reader036.vdocuments.site/reader036/viewer/2022062517/56649e915503460f94b97567/html5/thumbnails/14.jpg)
SRP to EC-SRP A password authentication and key exchange
protocol. SRP (Secure Remote Password) is already used
for iSCSI Authentication EC-SRP is SRP implementation using ECC (Elliptic
Curve Cryptography) EC-SRP need lesser amount of processing power.
![Page 15: Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement](https://reader036.vdocuments.site/reader036/viewer/2022062517/56649e915503460f94b97567/html5/thumbnails/15.jpg)
Further enhance the research paper “A Lightweight Virtual Storage Security Scheme for Mobile Devices” Propose to use EC-SRP (Elliptic Curve Cryptography -
Secure Remote Password) in the In-Band Initiator-Target Authentication phase.
Comparison between various type of Secure Remote Password (SRP) with EC-SRP
![Page 16: Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement](https://reader036.vdocuments.site/reader036/viewer/2022062517/56649e915503460f94b97567/html5/thumbnails/16.jpg)
Bruce Schneier and Mudge. Cryptoanalysis of Microsoft’s Point-to-Point Tunneling Protocol (PPTP) .
An implementation of the attack described in this paper. http://stealth.7350.org/7350pppd.tgz .
J. Satran, K. Meth, C. Sapuntzakis, M. Chadalapaka, E. Zeidner.: Internet Small Computer Systems Interface (iSCSI), Request For Comments 3720, April 2004.
A. Menezes and S.A. Vanstone. Elliptic curve cryptosystems and their implementations. Journal of Cryptology, 6(4):209{224, 1993.
D. Jablon. Extended password methods immune to dictionary attack. In WETICE '97 Enterprise Security Workshop, Cambridge, MA, June 1997.
![Page 17: Prepared by They Yu Shu Lee Ern Yu. Motivation Previous Work Remaining Issues Improvement](https://reader036.vdocuments.site/reader036/viewer/2022062517/56649e915503460f94b97567/html5/thumbnails/17.jpg)
End